The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

SHADOW-EARTH-053 Uses Legacy Exchange Exploitation to Target Asia-Pacific Governments

May 15, 2026 2:02:38 PM / by The Hivemind posted in Threat Bulletin, APT41, ShadowPad, Cybersecurity, government targeting, CyberEspionage, ChinaAPT, ExchangeServer, ProxyLogon, ThreatIntelligence, ShadowEarth053


Verticals Targeted: Government, Defense, Technology, Transportation, Critical Infrastructure
Regions Targeted: South Asia, Southeast Asia, East Asia
Related Families: ShadowPad, GODZILLA, NOODLERAT, IOX, GOST, Wstunnel, RingQ, VShell

Executive Summary

A newly identified China-aligned cyberespionage campaign tracked as SHADOW-EARTH-053 is targeting government agencies, defense-adjacent contractors, and critical infrastructure organizations across Asia through exploitation of unpatched Microsoft Exchange and IIS vulnerabilities. The operation relies heavily on legacy Exchange flaws, web shell persistence, ShadowPad malware deployment, credential theft, and covert tunneling infrastructure to maintain long-term access within victim environments. The campaign demonstrates that older but still-exploitable enterprise infrastructure continues to provide reliable access opportunities for state-aligned espionage operators and reinforces the operational importance of proactive detection, behavioral monitoring, and layered telemetry visibility.


“Shadow Campaigns” Show Evidence of Global Espionage Using ShadowGuard Rootkit

Feb 13, 2026 1:01:00 PM / by The Hivemind posted in Threat Bulletin, Cobalt Strike, cyber espionage, government targeting, TGR-STA-1030, Diaoyu Loader, ShadowGuard rootkit, eBPF backdoor, global reconnaissance, Shadow Campaigns, state-aligned threat


Verticals Targeted: Government, Telecommunications, Finance, Aerospace
Regions Targeted: North America, South America, Africa, Europe, Asia
Related Families: Diaoyu Loader, ShadowGuard, Cobalt Strike, VShell
Executive Summary

A sophisticated state-aligned cyberespionage operation attributed to TGR-STA-1030 (also tracked as UNC6619) has been discovered, operating from Asia. It has compromised government and critical infrastructure entities across 37 countries over the past year while conducting reconnaissance against government infrastructure in 155 countries. The group's “Shadow Campaigns” leverage phishing, N-day exploitation, and advanced tooling to prioritize intelligence collection on economic partnerships, trade, and diplomatic activities.
